ClaudeWave
Skill · 171 repo stars · updated 1mo ago

OWASP Security Audit

Systematic security audit against OWASP Top 10:2025. Apply when reviewing code that handles authentication, user input, API endpoints, data storage, or any security-sensitive functionality.

Install in Claude Code
git clone --depth 1 https://github.com/ThamJiaHe/claude-code-handbook /tmp/owasp-security-audit && cp -r /tmp/owasp-security-audit/skills/examples/owasp-security-audit- ~/.claude/skills/owasp-security-audit
Then open a new Claude Code session; the skill loads automatically.

owasp-security-audit-skill.md

# OWASP Security Audit

Systematic code audit against the OWASP Top 10:2025 vulnerability categories. Every security-sensitive code change must pass this checklist.

## Overview

This skill enforces a **mandatory 10-point security audit** based on the [OWASP Top 10:2025](https://owasp.org/Top10/):

1. A01 — Broken Access Control
2. A02 — Cryptographic Failures
3. A03 — Injection
4. A04 — Insecure Design
5. A05 — Security Misconfiguration
6. A06 — Vulnerable and Outdated Components
7. A07 — Identification and Authentication Failures
8. A08 — Software and Data Integrity Failures
9. A09 — Security Logging and Monitoring Failures
10. A10 — Server-Side Request Forgery (SSRF)

## When to Use

- Code that handles user authentication or sessions
- Any endpoint accepting user input
- Database queries with dynamic parameters
- File upload or download functionality
- API integrations with external services
- Cryptographic operations (hashing, signing, encryption)
- Admin panels or privilege-escalation-sensitive code
- Code that makes outbound HTTP requests

## A01: Broken Access Control

**Check:** Does every endpoint verify the user has permission to access the resource?

```typescript
// VULNERABLE: No authorization check
app.get('/api/users/:id', async (req, res) => {
  const user = await db.user.findUnique({ where: { id: req.params.id } });
  res.json(user);
});

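// SECURE: Verify ownership or admin role
app.get('/api/users/:id', authenticate, async (req, res) => {
  // Authorize before the lookup so non-owners cannot probe which IDs exist
  if (req.params.id !== req.user.id && req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Forbidden' });
  }

  const user = await db.user.findUnique({ where: { id: req.params.id } });

  // findUnique returns null for an unknown ID; do not dereference it
  if (!user) {
    return res.status(404).json({ error: 'Not found' });
  }

  res.json(user);
});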
```

**Checklist:**
- [ ] Every endpoint has authentication middleware
- [ ] Authorization checks verify resource ownership
- [ ] Admin-only routes check role before processing
- [ ] CORS is configured to allow only trusted origins
- [ ] JWT tokens are validated on every request (not just present)
- [ ] Rate limiting is applied to sensitive endpoints
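
The CORS item in the checklist above comes down to how the `Origin` header is compared against the allowlist. An added example (not part of the original skill) of an exact-match check; the hostnames and the `corsHeadersFor` helper are assumptions for illustration:

```typescript
// Added example. The origins below are constructed placeholders.
const TRUSTED_ORIGINS: ReadonlySet<string> = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

type CorsHeaders = Record<string, string>;

// Returns the CORS response headers for a request's Origin header,
// or null when the origin is not trusted (send no CORS headers at all).
function corsHeadersFor(originHeader: string | undefined): CorsHeaders | null {
  // Missing header, or the literal "null" origin sent by sandboxed documents.
  if (!originHeader || originHeader === 'null') return null;

  let parsed: URL;
  try {
    parsed = new URL(originHeader);
  } catch {
    return null; // not a URL at all
  }

  // A real Origin header is exactly scheme + host + port, so anything that
  // does not round-trip (paths, credentials, odd casing) is rejected.
  if (parsed.protocol !== 'https:' || parsed.origin !== originHeader) return null;

  // Exact match only. Substring, suffix, or loose regex checks are how a
  // lookalike such as "https://app.example.com.attacker.test" gets accepted.
  if (!TRUSTED_ORIGINS.has(parsed.origin)) return null;

  return {
    'Access-Control-Allow-Origin': parsed.origin, // the one matched origin, never "*"
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin', // stop caches serving one origin's response to another
  };
}
```
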

## A02: Cryptographic Failures

**Check:** Is sensitive data encrypted at rest and in transit?

```typescript
// VULNERABLE: Storing passwords with weak hashing
const weakHash = md5(password); // Never use MD5/SHA-1

// SECURE: Use argon2id or bcrypt with proper cost factor
import { hash, verify } from '@node-rs/argon2';

const hashedPassword = await hash(password, {
  memoryCost: 65536, // in KiB, i.e. 64 MiB
  timeCost: 3,
  parallelism: 4,
});

const isValid = await verify(hashedPassword, inputPassword);
```

**Checklist:**
- [ ] Passwords use argon2id or bcrypt (never MD5/SHA-1/SHA-256 alone)
- [ ] API keys and secrets are in environment variables, not code
- [ ] TLS 1.2+ enforced for all connections
- [ ] Sensitive data encrypted at rest (database column-level encryption)
- [ ] No secrets in logs, error messages, or stack traces
- [ ] Cryptographic keys rotated on a schedule

## A03: Injection

**Check:** Is all user input parameterized or sanitized before use?

```typescript
// VULNERABLE: SQL injection via string concatenation
const query = `SELECT * FROM users WHERE email = '${email}'`;

// SECURE: Parameterized queries (Prisma does this automatically)
const user = await prisma.user.findUnique({
  where: { email: sanitizedEmail },
});

// VULNERABLE: Command injection via string interpolation
// Using child_process.exec with user input allows shell injection

// SECURE: Use execFile with array arguments
// execFile('convert', [userFilename, 'output.pdf'])
// Array arguments prevent shell interpretation of special characters
```

**Checklist:**
- [ ] All SQL uses parameterized queries or ORM (Prisma, Drizzle)
- [ ] No string concatenation in database queries
- [ ] Shell commands use execFile() with array args, never string interpolation
- [ ] HTML output is escaped (React does this by default)
- [ ] `dangerouslySetInnerHTML` is never used with user input
- [ ] Email templates sanitize all interpolated values
- [ ] LDAP, XPath, and NoSQL queries use parameterized inputs

## A04: Insecure Design

**Check:** Does the system design prevent abuse by design?

```typescript
// SECURE: Rate limiting on login
import rateLimit from 'express-rate-limit';

const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5, // 5 attempts per window
  message: 'Too many login attempts. Try again in 15 minutes.',
});

app.post('/api/auth/login', loginLimiter, loginHandler);

// SECURE: Account lockout after failed attempts
if (user.failedLoginAttempts >= 5) {
  throw new Error('Account locked. Contact support.');
}
```

**Checklist:**
- [ ] Rate limiting on authentication endpoints
- [ ] Account lockout after repeated failures
- [ ] Business logic validates impossible states (e.g., negative prices)
- [ ] Multi-step operations use CSRF tokens
- [ ] Password reset tokens expire (15-30 minutes)
- [ ] Sensitive operations require re-authentication
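
The lockout snippet above reads a `failedLoginAttempts` counter but does not show how it is maintained. An added example (not part of the original skill) of a per-account tracker using the same 5-attempt, 15-minute limits; the `LoginAttemptTracker` class, the in-memory `Map`, and the time-bound lock (instead of a permanent one) are assumptions:

```typescript
// Added example: limits mirror the rate-limiter settings shown on this page.
const MAX_FAILURES = 5;
const WINDOW_MS = 15 * 60 * 1000;

interface AttemptState {
  failures: number;
  windowStart: number; // when the first failure of the current window happened
  lockedUntil: number; // 0 when not locked
}

class LoginAttemptTracker {
  private readonly state = new Map<string, AttemptState>();
  private readonly now: () => number;

  // The clock is injectable so the timing logic can be tested without waiting.
  constructor(now: () => number = () => Date.now()) {
    this.now = now;
  }

  // Call before verifying the password; locked accounts are rejected early.
  isLocked(accountId: string): boolean {
    const s = this.state.get(accountId);
    return s !== undefined && this.now() < s.lockedUntil;
  }

  // Call after a failed password check. Returns true if this failure locked the account.
  recordFailure(accountId: string): boolean {
    const t = this.now();
    let s = this.state.get(accountId);
    if (!s || t - s.windowStart >= WINDOW_MS) {
      // Start a fresh window so old failures do not accumulate forever.
      s = { failures: 0, windowStart: t, lockedUntil: 0 };
      this.state.set(accountId, s);
    }
    s.failures += 1;
    if (s.failures >= MAX_FAILURES) {
      s.lockedUntil = t + WINDOW_MS;
      return true;
    }
    return false;
  }

  // Call after a successful login so earlier typos stop counting.
  recordSuccess(accountId: string): void {
    this.state.delete(accountId);
  }
}
```

In a multi-instance deployment the `Map` would be replaced by shared storage; the counter is keyed per account, so it complements the per-client `loginLimiter` rather than replacing it.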

## A05: Security Misconfiguration

**Check:** Are security headers, defaults, and configurations hardened?

```typescript
// SECURE: Security headers with helmet
import helmet from 'helmet';

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
    },
  },
  hsts: { maxAge: 31536000, includeSubDomains: true },
  referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
}));
```

**Checklist:**
- [ ] Security headers set (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
- [ ] Debug mode disabled in production
- [ ] Default credentials changed
- [ ] Directory listing disabled
- [ ] Error pages don't leak stack traces or internal paths
- [ ] Unnecessary features and endpoints disabled
- [ ] HTTPS enforced everywhere (no HTTP fallback)

## A06: Vulnerable Components

**Check:** Are all dependencies up to date and vulnerability-free?

```bash
# Check for known vulnerabilities
```